Access to Collabspot Portal
- Encrypted sessions (TLS 1.0/TLS 1.2 with 256-bit cipher suites)
- Authentication is delegated to Google
- Session Timeout
Access to SugarCRM Data
- Encrypted sessions (256-bit SSL/TLS) whenever the customer's SugarCRM server supports it
- API requests made from the extension authenticate with the user's SugarCRM username and password
- Contact and calendar sync:
- Username and hashed password for older customers (Sugar6 and Sugar7)
- Username and raw (unhashed) password, or OAuth tokens for instances configured for SSO, for newer customers (Sugar7 only)
Access to Salesforce Data
- Encrypted Sessions 256-bit SSL/TLS
- OAuth 2.0
Access to Google Data
- Encrypted Sessions 256-bit SSL/TLS
- OAuth 2.0
Collabspot's application is hosted on Google's infrastructure. We use the following services:
- Google AppEngine (Portal)
- Google Compute engine (synchronization)
- Google BigQuery (Analytics)
- Google Cloud Storage (Backup)
Google App Engine: Google manages the infrastructure and the security of the servers, which are automatically updated and patched.
Google Compute Engine: these servers only perform synchronization and accept no inbound input. They pull data over a TLS connection when they need it. The firewall is configured to reject all inbound connections from the Internet; SSH access is opened to specific IP addresses on a need basis.
Google BigQuery: Google manages the infrastructure and the security of the servers, which are automatically updated and patched.
Data is always encrypted at rest and in transit between the different services.
Access to the Google Cloud console is limited to the Operations Team, and authentication requires 2FA.
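The inbound posture described above for the synchronization servers (no inbound connections from the Internet, SSH only from specific addresses) is something an operator can check against the project's actual firewall rules rather than take on faith. The following is an added example, not Collabspot's code: it audits a rule list in the JSON shape produced by `gcloud compute firewall-rules list --format=json` and flags every enabled ingress rule that reaches the sync instances and allows anything other than SSH from an allowlisted source. The rule names, the `sync` target tag, the addresses and the sample rules are constructed for this example; the field names follow the GCP firewall resource.

```python
import ipaddress
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
# Field names (direction, sourceRanges, targetTags, allowed, denied, disabled) are those
# of the GCP firewall resource; rule names, tags and addresses are invented for this example.
SAMPLE_RULES_JSON = """
[
  {"name": "sync-allow-ssh-ops", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["203.0.113.10/32"], "targetTags": ["sync"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "sync-allow-web", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["sync"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
  {"name": "sync-allow-ssh-anywhere", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["sync"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "portal-allow-https", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["portal"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
  {"name": "sync-allow-egress-tls", "direction": "EGRESS", "disabled": false,
   "destinationRanges": ["0.0.0.0/0"], "targetTags": ["sync"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]}
]
"""

# Assumed operations bastion address (RFC 5737 documentation range).
SSH_ALLOWLIST = {"203.0.113.10/32"}


def parse_rules(text):
    """Parse gcloud's JSON rule list into Python dicts."""
    return json.loads(text)


def _port_range(spec):
    """Turn a GCP port spec such as "22" or "20-25" into an inclusive (lo, hi) pair."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def _is_ssh_only(allowed):
    """True if every allowed entry is TCP restricted to port 22 and nothing else."""
    for entry in allowed:
        if entry.get("IPProtocol", "").lower() != "tcp":
            return False
        ports = entry.get("ports")
        if not ports:  # tcp with no port list means every TCP port
            return False
        if any(_port_range(spec) != (22, 22) for spec in ports):
            return False
    return True


def _source_in_allowlist(src, allowlist):
    """True if the CIDR `src` lies entirely inside one allowlisted network."""
    net = ipaddress.ip_network(src, strict=False)
    for entry in allowlist:
        allowed_net = ipaddress.ip_network(entry, strict=False)
        if allowed_net.version == net.version and net.subnet_of(allowed_net):
            return True
    return False


def audit_sync_ingress(rules, target_tag, ssh_allowlist):
    """Return (rule name, reason) for each enabled INGRESS rule that reaches
    instances tagged `target_tag` and permits anything beyond SSH from the allowlist."""
    findings = []
    for rule in rules:
        # GCP defaults direction to INGRESS when the field is absent.
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        tags = rule.get("targetTags")
        if tags and target_tag not in tags:
            continue  # a rule with no targetTags applies to every instance in the network
        if "allowed" not in rule:
            continue  # deny rules only tighten the posture
        # A rule with neither sourceRanges nor sourceTags applies to 0.0.0.0/0.
        sources = rule.get("sourceRanges") or ([] if rule.get("sourceTags") else ["0.0.0.0/0"])
        if not _is_ssh_only(rule["allowed"]):
            findings.append((rule["name"], "allows non-SSH traffic"))
            continue
        for src in sources:
            if not _source_in_allowlist(src, ssh_allowlist):
                findings.append((rule["name"], "SSH allowed from " + src))
    return findings


if __name__ == "__main__":
    for name, reason in audit_sync_ingress(parse_rules(SAMPLE_RULES_JSON), "sync", SSH_ALLOWLIST):
        print(name + ": " + reason)
```

Run against live output by replacing the constructed sample with the JSON that `gcloud` prints. The audit relies on GCP's implied deny for ingress, so it only has to reason about allow rules; egress rules and rules targeting other tags are ignored on purpose, and a disabled rule is treated as absent.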
Google Cloud Platform has annual audits for the following standards:
- SSAE16 / ISAE 3402 Type II (SOC 2 and SOC 3 reports)
- ISO 27001, one of the most widely recognized, internationally accepted independent security standards. Google has earned ISO 27001 certification for the systems, applications, people, technology, processes and data centers serving Google Cloud Platform.
- ISO 27017 (cloud security): an international standard of practice for information security controls, based on ISO/IEC 27002, specifically for cloud services.
- ISO 27018 (cloud privacy): an international standard of practice for the protection of personally identifiable information (PII) in public cloud services.
- FedRAMP ATO for Google App Engine
- PCI DSS v3.1
To learn more, see:
Incident Response and Remediation
We monitor our systems 24/7/365 with a variety of performance measurement and error-checking tools.
When a serious incident occurs, or a long interval of downtime is anticipated, we notify our users via our blog, Twitter and/or email.
We work closely with our hosting providers to ensure that underlying systems remain secure, and any security breaches are investigated, patched and remediated promptly.
Our system operations are logged extensively, and the logs are stored for at least a 30-day period in the cloud. If needed, these logs may be mined to investigate incidents or to reconstruct a chain of events.
Should a security breach occur, we will promptly notify affected users of the nature and extent of the breach, and take steps to minimize any damage.
Audits and Compliance
The Collabspot platform is built on Google Cloud Platform. As such, Collabspot inherits the control environment that Google maintains and demonstrates via its SSAE16 SOC 2 and SOC 3, ISO 27001, ISO 27017, ISO 27018, PCI DSS v3.1 and FedRAMP reports and certifications.
Collabspot successfully passed the Salesforce.com Security Review.
We perform regular vulnerability scans using industry-standard tools.
Reporting Security Issues
Collabspot takes the security of our products very seriously. We educate our staff on security best practices, and our development process includes quality assurance such as peer review to help ensure our products are high quality and secure. However, like all complex software products, it is possible that a security vulnerability may be present in one of our products. If you discover a security issue in a Collabspot product or hosted service, we ask that you report it to us confidentially in order to protect the security of our services. Please email the details to our security team at firstname.lastname@example.org. Collabspot's security team will respond to confirm receipt of your message, review the issue and plan its mitigation appropriately, and set a timeline for a new release or patch. We follow responsible disclosure and will credit researchers once a reported security issue has been identified and mitigated, subject to the following conditions.
- You may not use automated tools in your research without our explicit consent. Use of automated tools may result in investigative action or your IP(s) being blocked.
- You make a good-faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.
- You give us reasonable time to respond to your report and carry out remediation.
- We credit the first researcher to report an issue. Additionally, we reserve the right to only acknowledge researchers who discover issues in Collabspot products or hosted services, if we determine the issue to be of a high or critical severity, or if there has been continued research or contributions made by the reporter.
- We will credit you with your name and a “no-follow” link to the address of your choosing (e.g. Twitter or personal website).
- We will not bring any lawsuit against you or initiate a law enforcement investigation into you if you follow these parameters.